Re: TRG vger.timpanogas.org hacked
On Tue, Jun 05, 2001 at 11:30:51AM -0700, Jeff V. Merkey wrote:
> On Tue, Jun 05, 2001 at 08:05:34AM +0100, Alan Cox wrote:
> > > is curious as to how these folks did this. They exploited BIND 8.2.3
> > > to get in and logs indicated that someone was using a "back door" in
> >
> > Bind runs as root.
> >
> > > We are unable to determine just how they got in exactly, but they
> > > kept trying and created an oops in the affected code which allowed
> > > the attack to proceed.
> >
> > Are you sure they didn't in fact simply screw up live patching the kernel to
> > cover their traces
>
> Could have. The kernel is unable to dismount the root volume when booted.
> I can go through the drive and remove confidential stuff and just leave
> the system intact and post the entire system image to my ftp server.

This would be a good thing for those of us involved in investigating
these sorts of things. :-/

> I have changed all the passwords on the server, so what's there is no
> big deal. This server was public FTP and web/email, so nothing really
> super "confidential" on it.
>
> Jeff

Mike
--
Michael H. Warfield | (770) 985-6132 | [EMAIL PROTECTED]
(The Mad Wizard)    | (678) 463-0932 | http://www.wittsend.com/mhw/
NIC whois: MHW9     | An optimist believes we live in the best of all
PGP Key: 0xDF1DD471 | possible worlds. A pessimist is sure of it!
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to [EMAIL PROTECTED]
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
RE: TRG vger.timpanogas.org hacked
On Tue, 5 Jun 2001, Randal, Phil wrote:
> Bind 8.2.4 was released on May 17th, with the standard
> comment "BIND 8.2.4 is the latest version of ISC BIND 8.
> We strongly recommend that you upgrade to BIND 9.1 or, if
> that is not immediately possible, to BIND 8.2.4 due to
> certain security vulnerabilities in previous versions."
>
> However, there are no release notes on ISC's web site,
> and their vulnerabilities page lists no known security
> flaws in Bind 8.2.3.
>
> But the paranoid part of me does wonder :-)

There really are no known vulnerabilities in BIND 8.2.3. There are a
number of bug fixes which would make upgrading a good idea, though. The
"previous versions" mentioned were those earlier than 8.2.3.

Brian
Re: TRG vger.timpanogas.org hacked
On Tue, Jun 05, 2001 at 08:05:34AM +0100, Alan Cox wrote:
> > is curious as to how these folks did this. They exploited BIND 8.2.3
> > to get in and logs indicated that someone was using a "back door" in
>
> Bind runs as root.

It doesn't have to. In fact, I just set up a RedHat 6.2 Honeypot a
couple of weeks ago researching Bind based worms that are becoming a
problem. Much to my surprise, that OOB RedHat 6.2 system ran bind as
"named -u named" and was running Bind under a common user id. RedHat 6.0
runs it as root and I haven't checked 6.1 yet. Don't know about the
other distros, yet.

> > We are unable to determine just how they got in exactly, but they
> > kept trying and created an oops in the affected code which allowed
> > the attack to proceed.
>
> Are you sure they didn't in fact simply screw up live patching the kernel to
> cover their traces

That would be a hint that they MIGHT have been trying to get a Linux
kernel stealth module going. Several of the worms I'm looking at include
the Adore LKM to hide processes, files, and sockets. That worm (as
several others like it) also upgrades the version of Bind they broke in
through to prevent further compromise.

There will be a security advisory out on these worms, probably later
this week.

Mike
--
Michael H. Warfield | (770) 985-6132 | [EMAIL PROTECTED]
(The Mad Wizard)    | (678) 463-0932 | http://www.wittsend.com/mhw/
NIC whois: MHW9     | An optimist believes we live in the best of all
PGP Key: 0xDF1DD471 | possible worlds. A pessimist is sure of it!
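Mike's point that the Adore LKM hides processes from the administrator's tools suggests a cross-check a defender can run on a suspect box: compare what /proc lists with what the kernel admits exists when every PID is probed. The following is an added example written for this page, not code from the thread or from any tool it mentions; it assumes a Linux host with /proc and relies on the standard kill(pid, 0) existence probe and the /proc/sys/kernel/pid_max file, neither of which the thread itself describes.

```python
import os


def list_proc_pids(proc="/proc"):
    """PIDs the kernel lists in /proc: the view a stealth LKM such as Adore filters."""
    return {int(name) for name in os.listdir(proc) if name.isdigit()}


def pid_alive(pid):
    """Probe a PID with signal 0: nothing is delivered, but the kernel still
    reports whether the process exists (EPERM means it exists, just not ours)."""
    try:
        os.kill(pid, 0)
        return True
    except ProcessLookupError:
        return False
    except PermissionError:
        return True


def read_pid_max(proc="/proc", default=32768):
    """Upper bound of the PID space; falls back to the classic 2.x-era default."""
    try:
        with open(os.path.join(proc, "sys", "kernel", "pid_max")) as fh:
            return int(fh.read())
    except (OSError, ValueError):
        return default


def find_hidden_pids(visible, alive, pid_max):
    """Return PIDs that answer the probe but are absent from the visible set.
    `visible` (set of PIDs) and `alive` (probe function) are injected so the
    same logic runs on a constructed snapshot and on the live system."""
    return sorted(pid for pid in range(1, pid_max + 1)
                  if pid not in visible and alive(pid))


def scan_live(proc="/proc"):
    """Live check. A process started between the listing and the probe would
    look hidden, so candidates are re-checked against a fresh /proc listing."""
    candidates = find_hidden_pids(list_proc_pids(proc), pid_alive, read_pid_max(proc))
    fresh = list_proc_pids(proc)
    return [pid for pid in candidates if pid not in fresh and pid_alive(pid)]


if __name__ == "__main__":
    hidden = scan_live()
    print("PIDs alive but missing from /proc:", hidden if hidden else "none found")
```

A non-empty result is a reason to image the disk and compare against known-good binaries rather than to trust anything the running kernel reports, since a module that filters /proc can just as well filter other views.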
Re: TRG vger.timpanogas.org hacked
On Tue, Jun 05, 2001 at 01:07:05PM +, Henning P. Schmiedehausen wrote:
> Connected to vger.timpanogas.com.
> Escape character is '^]'.
> SSH-1.5-1.2.27
>
> Well known exploits downloadable at any of the better hacking sites.

This _may_ be misleading. I had several boxes where I patched ssh 1.2.27
as a short-term solution.

Anyway, we're getting OT :-)

Regards,
Daniel
Re: TRG vger.timpanogas.org hacked
On Tue, Jun 05, 2001 at 11:33:57AM +0100, Randal, Phil wrote:
> Bind 8.2.4 was released on May 17th, with the standard
> comment "BIND 8.2.4 is the latest version of ISC BIND 8.
> We strongly recommend that you upgrade to BIND 9.1 or, if
> that is not immediately possible, to BIND 8.2.4 due to
> certain security vulnerabilities in previous versions."
>
> However, there are no release notes on ISC's web site,
> and their vulnerabilities page lists no known security
> flaws in Bind 8.2.3.

That's quaint... The 8.2.4 got some immunity on running out of low fd
numbers suitable for stdio at e.g. Solaris. (Is there anything else, I
haven't checked.)

Essentially it makes the system a bit more resistant against (possibly
unintentional) denial of service attacks when there are heaps and troves
of TCP based resolving connections. All you need is to have some zone
with so massive replies for some questions that it does not fit into a
UDP query/reply packet. E.g. have a few dozen different PTR records for
some IP address, and you will soon see what I mean. Run that bind at
some saturated load system so that the bind is slow as molasses, and
have lots of people asking for reversers... I can pretty much guarantee
that you will see what bind 8.2.3 barfs within a day or so.

Your only solution is to restart the 8.2.3. (It fails to act as resolver
after the barf until reboot, it may also lose one or more of your DNS
zones.)

I haven't checked if 9.1.* series is also immunized for this. (That is,
if it uses stdio for any file accesses anymore.)

> But the paranoid part of me does wonder :-)

What else there might be...

> (And I haven't the time to do the diffs to see what's
> changed.)
>
> Cheers,
>
> Phil
>
> -
> Phil Randal
> Network Engineer
> Herefordshire Council
> Hereford, UK
>
> > -Original Message-
> > From: Daniel Roesen [mailto:[EMAIL PROTECTED]]
> > Sent: 05 June 2001 11:14
> > To: [EMAIL PROTECTED]
> > Subject: Re: TRG vger.timpanogas.org hacked
> >
> >
> > On Tue, Jun 05, 2001 at 08:05:34AM +0100, Alan Cox wrote:
> > > > is curious as to how these folks did this. They exploited BIND 8.2.3
> > > > to get in and logs indicated that someone was using a "back door" in
> > >
> > > Bind runs as root.
> >
> > Not if set up properly. And there is no known hole in BIND 8.2.3-REL
> > so I'm wondering how Jeff found out that the intruder got in via BIND.
RE: TRG vger.timpanogas.org hacked
Bind 8.2.4 was released on May 17th, with the standard comment "BIND
8.2.4 is the latest version of ISC BIND 8. We strongly recommend that
you upgrade to BIND 9.1 or, if that is not immediately possible, to BIND
8.2.4 due to certain security vulnerabilities in previous versions."

However, there are no release notes on ISC's web site, and their
vulnerabilities page lists no known security flaws in Bind 8.2.3.

But the paranoid part of me does wonder :-)

(And I haven't the time to do the diffs to see what's changed.)

Cheers,

Phil
-
Phil Randal
Network Engineer
Herefordshire Council
Hereford, UK

> -Original Message-
> From: Daniel Roesen [mailto:[EMAIL PROTECTED]]
> Sent: 05 June 2001 11:14
> To: [EMAIL PROTECTED]
> Subject: Re: TRG vger.timpanogas.org hacked
>
>
> On Tue, Jun 05, 2001 at 08:05:34AM +0100, Alan Cox wrote:
> > > is curious as to how these folks did this. They exploited BIND 8.2.3
> > > to get in and logs indicated that someone was using a "back door" in
> >
> > Bind runs as root.
>
> Not if set up properly. And there is no known hole in BIND 8.2.3-REL
> so I'm wondering how Jeff found out that the intruder got in via BIND.
Re: TRG vger.timpanogas.org hacked
On Tue, Jun 05, 2001 at 08:05:34AM +0100, Alan Cox wrote:
> > is curious as to how these folks did this. They exploited BIND 8.2.3
> > to get in and logs indicated that someone was using a "back door" in
>
> Bind runs as root.

Not if set up properly. And there is no known hole in BIND 8.2.3-REL
so I'm wondering how Jeff found out that the intruder got in via BIND.
TRG vger.timpanogas.org hacked
Our master server (vger.timpanogas.org) running 2.2.19 was hacked and
completely obliterated by someone using a Novell Proxy Cache via a
kernel level exploit in [sys_wait+4]. They somehow created a
segmentation fault down inside the kernel, then gained access to the
/lib directory and relinked the libraries to a set of bogus libs, which
gave them access to the server. Only public code and email is processed
on this server.

For those interested in reviewing this attack, I have the entire
previous hard disk available and can mount it under the public ftp area
if anyone is curious as to how these folks did this. They exploited BIND
8.2.3 to get in and logs indicated that someone was using a "back door"
in Novell's NetWare proxy caches to perform the attack (since several
different servers were used as "blinds" to get in).

We are unable to determine just how they got in exactly, but they kept
trying and created an oops in the affected code which allowed the attack
to proceed.

Jeff